Open meztez opened 10 months ago
I'm thinking using the options package would maybe open up an attack vector, because of this line here: https://github.com/dgkf/options/blob/a2c110229f844de49b3dbb56bb0a19542b92899a/R/envvars.R#L168
I'm going to ice this one for now.
@meztez Currently, envvar_eval_or_raw
is a default parameter to options::option_spec()
. We could easily supply a safe version when defining the plumber option spec and we'd be fine.
The option_spec()
handles the extra args supplied to define_option.character()
.
So we could use a helper function to define the options (setting the envvar_fn
value for every option):
# Copied from https://github.com/dgkf/options/blob/a2c1102/R/envvars.R#L1-L4
# Sets up pretty printing
fn_with_desc <- function(f, desc) {
attr(f, "desc") <- desc
f
}
# Keep sys env var as raw string only
plumber_envvar_raw <- fn_with_desc(
function(raw, name, ...) {
raw
},
"string"
)
define_plumber_option <- function(...) {
options::define_option(
...,
envvar_fn = plumber_envvar_raw
)
}
# Ex usage
define_plumber_option(
option = "port",
default = NULL,
desc = paste(
"Port Plumber will attempt to use to start http server.",
"If the port is already in use, server will not be able to start."
)
)
Noted, still have to figure out what to do with options_plumber, return values. Probably do not want to change the behavior. Options does not have an opt<-
equivalent yet. Integrating httpproblems at the moment.
Pending a doc ordering issue in options package.
https://github.com/dgkf/options/pull/7
PR task list:
devtools::document()